Some warnings exist about a vulnerability in Rome, which is used for RSS parsing. For default installations, this isn’t problematic, since the default RSS URL is also within our control.
For users configuring rss.url to a non-default value, this might expose some amount of risk.
shows that
v1.17.0 includes the fix
v1.19.0 is available, and likely has no breaking changes
v2.1.0 is latest at time of writing, and might be an easy upgrade
We already did some work to lower our dependency on Rome. Finish that work, and don’t use a full-blown RSS stack for a little panel on the Admin homepage.
Environment
None
Activity
Guus der Kinderen November 13, 2023 at 5:48 PM
Edited
With resolved, we might not be using Rome at all anymore. Maybe we can just drop it?
Instant update: we’re still using it. Maybe we can still drop it though…